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Trust  management  for  mobile  ad  hoc  networks  (MANETs)  has  emerged  as  an  active 
research  area  as  evidenced  by  the  proliferation  of  trust/reputation  protocols  to  support 
mobile  group  based  applications  in  recent  years.  In  this  paper  we  address  the  performance 
issue  of  trust  management  protocol  design  for  MANETs  in  two  important  areas:  trust  bias 
minimization  and  application  performance  maximization.  By  means  of  a  novel  model- 
based  approach  to  model  the  ground  truth  status  of  mobile  nodes  in  MANETs  as  the  basis 
for  design  validation,  we  identify  and  validate  the  best  trust  protocol  settings  under  which 
trust  bias  is  minimized  and  application  performance  is  maximized.  We  demonstrate  the 
effectiveness  of  our  approach  with  an  integrated  social  and  quality-of-service  (QoS)  trust 
protocol  (called  SQTrust)  with  which  we  identify  the  best  trust  aggregation  setting  under 
which  trust  bias  is  minimized  despite  the  presence  of  malicious  nodes  performing  slander¬ 
ing  attacks.  Furthermore,  using  a  mission-oriented  mobile  group  utilizing  SQTrust,  we 
identity  the  best  trust  formation  protocol  setting  under  which  the  application  performance 
in  terms  of  the  system  reliability  of  the  mission-oriented  mobile  group  is  maximized. 

©  2014  Elsevier  B.V.  All  rights  reserved. 


1.  Introduction 

The  concept  of  “trust”  originally  derives  from  social  sci¬ 
ences  and  is  defined  as  the  subjective  degree  of  a  belief 
about  the  behaviors  of  a  particular  entity.  Blaze  et  al.  [7] 
first  introduced  the  term  “Trust  Management”  and  identi¬ 
fied  it  as  a  separate  component  of  security  services  in  net¬ 
works  and  clarified  that  “Trust  management  provides  a 
unified  approach  for  specifying  and  interpreting  security 
policies,  credentials,  and  relationships.”  Many  researchers 
in  the  networking  and  communication  field  have  defined 
trust  differently  such  as  “a  belief  on  reliability,  dependability, 


*  Corresponding  author.  Address:  Department  of  Computer  Science, 
Virginia  Tech,  7054  Haycock  Road,  Falls  Church,  VA  22043,  United  States. 
Tel.:  +1  (703)  538  8376;  fax:  +1  (703)  538  8348. 

E-mail  addresses:  irchen@vt.edu  (I.-R.  Chen),  jiaguo@vt.edu  (J.  Guo), 
baofenye@vt.edu  (F.  Bao),  jinhee.cho@us.army.mil  (J.-H.  Cho). 

http://dx.doi.Org/10.1016/j.adhoc.2014.02.005 
1570-8705/©  2014  Elsevier  B.V.  All  rights  reserved. 


or  security"  [24],  “a  belief  about  competence  or  honesty  in 
a  specific  context”  [3],  and  “reliability,  timeliness,  and 
integrity  of  message  delivery”  [25].  Trust  management  is 
often  used  with  different  purposes  in  diverse  decision 
making  situations  such  as  secure  routing  [5,31,34,37], 
key  management  9,18],  authentication  [29],  access  control 
[1],  and  intrusion  detection  [2,20,23,38,49], 

Trust  management  for  mobile  ad  hoc  networks  (MAN¬ 
ETs)  (see  [10,48]  for  a  very  recent  survey  of  the  topic) 
has  emerged  as  an  active  research  area  as  evidenced  by 
the  proliferation  of  trust/reputation  protocols  [2, 3, 5, 6, 8- 
10,14-16,18,19,25-27,29,31,34,35,40,48,50,57-63,72,76,77] 
to  support  mobile  group  based  applications  in  recent 
years.  Untreated  in  the  literature  10,48],  in  this  paper 
we  address  the  performance  issue  of  trust  manage¬ 
ment  protocol  design  for  MANETs  in  two  important  areas: 
trust  bias  minimization  and  application  performance 
maximization. 
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Relative  to  existing  works  for  MANET  trust  manage¬ 
ment  cited  above,  this  paper  has  the  following  specific 
contributions: 

•  First,  we  develop  a  new  trust  management  protocol 
(SQJrust)  based  on  a  composite  social  and  QoS  trust 
metric,  with  the  goal  to  yield  peer-to-peer  subjective 
trust  evaluation.  A  mobile  ad  hoc  group  very  frequently 
comprises  human  operators  carrying  communication 
devices.  Thus,  in  addition  to  traditional  QoS  trust  metrics 
such  as  control  packet  overhead,  throughput,  packet 
dropping  rate,  delay,  availability  and  fault  tolerance, 
one  must  also  consider  social  trust  metrics  [42]  includ¬ 
ing  friendship,  honesty,  privacy,  similarity,  betweenness 
centrality  and  social  ties  [12,13]  for  trust  management. 
We  note  that  prior  works  such  as  [12,13,17,20,39,41,44] 
also  considered  social  trust  metrics  in  communication 
networks.  Our  work  distinguishes  itself  from  these  prior 
works  in  that  we  identify  the  best  trust  aggregation 
parameter  settings  for  each  individual  trust  metric 
(either  QoS  or  social)  to  minimize  trust  bias. 

•  Second,  we  propose  a  novel  model-based  evaluation 
technique  for  validating  SQTrust  based  on  the  concept 
of  objective  trust  evaluation  which  utilizes  knowledge 
regarding  the  operational  and  environment  conditions 
to  yield  the  ground  truth  against  which  subjective  trust 
values  obtained  from  executing  SQTrust  can  be  com¬ 
pared  for  validation.  Our  analysis  methodology  hinges 
on  the  use  of  Stochastic  Petri  Net  (SPN)  modeling  tech¬ 
niques  [30,36,64-68,73-75]  for  describing  the  “actual” 
dynamic  behaviors  of  nodes  in  MANETs  in  the  presence 
of  well-behaved,  uncooperative  and  malicious  nodes. 
With  this  methodology,  we  identify  the  optimal  trust 
parameter  settings  under  which  SQTrust  is  most  accu¬ 
rate  compared  with  global  knowledge  and  actual  node 
status. 

•  Finally,  we  consider  a  new  design  concept  of  applica¬ 
tion-level  trust  optimization  by  identifying  the  best  way 
to  form  the  overall  trust  out  of  individual  social  and 
QoS  trust  metrics  to  maximize  application  performance. 
Using  a  mission-oriented  mobile  group  utilizing 
SQTrust,  we  identity  the  best  trust  formation  protocol 
setting  under  which  the  application  performance  in 
terms  of  the  system  reliability  of  the  mission-oriented 
mobile  group  is  maximized. 

The  rest  of  the  paper  is  organized  as  follows.  Section  2  de¬ 
scribes  the  system  model  and  assumptions.  Section  3  de¬ 
scribes  SQTrust  and  explains  how  it  is  executed  by  each 
node  to  perform  peer-to-peer  subjective  trust  evaluation. 
Section  4  develops  a  novel  model-based  approach  to  de¬ 
scribe  dynamic  behaviors  of  nodes  in  MANETs  in  the  pres¬ 
ence  of  misbehaving  nodes  with  the  objective  to  yield 
objective  trust  against  which  subjective  trust  from  execut¬ 
ing  SQTrust  may  be  compared  for  trust  bias  minimization, 
including  overhead  analysis  and  an  application  scenario 
involving  a  lead  node  dynamically  selecting  a  number  of 
nodes  it  trusts  most  for  mission  execution  for  reliability 
maximization.  Section  5  presents  analytical  results  with 
physical  interpretations  given.  Section  6  presents  simula¬ 
tion  results  for  simulation  validation.  Section  7  discussed 


related  work  so  as  to  differentiate  our  work  from  existing 
work  and  identity  unique  features  and  contributions  of 
our  trust  protocol  design  for  MANETs.  Section  8  discusses 
applicability.  Finally,  Section  9  summarizes  the  paper  and 
outlines  future  research  areas. 

2.  System  model 

2.1.  Operational  profile 

We  follow  the  notion  of  “ operational  profiles"  in  soft¬ 
ware  reliability  engineering  [28  as  input  to  specify  the 
anticipated  operational  and  environment  conditions.  Spe¬ 
cifically,  a  system’s  operational  profile  provides  knowledge 
regarding  (a)  environment  hostility,  i.e.,  how  often  nodes 
are  compromised;  (b)  node  mobility,  i.e.,  how  often  nodes 
meet  and  how  they  interact  with  each  other;  (c)  node 
behavior,  i.e.,  how  nodes  will  behave  based  on  node  status 
including  good  behaviors  by  good  nodes  and  bad  behaviors 
by  bad  nodes;  (d)  environment  resources,  i.e.,  the  initial 
energy  each  node  has  and  how  fast  energy  is  consumed 
by  good  or  bad  nodes;  and  (e)  system  failure  definitions 
including  both  operational  and  security  failure  conditions. 
Later  in  Section  5,  we  will  exemplify  the  input  operational 
profile  for  a  mobile  group  application  in  MANET  environ¬ 
ments.  An  operating  profile  does  not  represent  a  controlled 
setting.  For  example,  hostility  and  node  behavior  as  part  of 
the  operational  profile  merely  specify  per-node  compro¬ 
mise  rate  and  energy  consumption/cooperativeness  behav¬ 
ior  but  do  not  tell  us  which  nodes  are  compromised  and/or 
uncooperative  over  time.  In  response  to  operational  or 
environment  changes  (e.g.,  change  of  hostility),  the  system 
using  the  results  obtained  in  the  paper  can  adaptively  ad¬ 
just  trust  settings  to  optimize  application  performance. 

2.2.  SQTrust  design  goals 

SQTrust  is  distributed  in  nature  and  is  run  by  each  mo¬ 
bile  node  to  subjectively  yet  informatively  assess  the  trust 
levels  of  other  mobile  nodes.  Further,  SQTrust  is  resilient 
against  misbehaving  nodes.  Given  the  operational  profile 
as  input  covering  a  wide  range  of  operational  and  environ¬ 
ment  conditions,  we  aim  to  satisfy  and  validate  the  follow¬ 
ing  two  design  goals: 

•  Discover  and  apply  the  best  trust  aggregation  protocol 
setting  of  SQTrust  to  make  “subjective  trust”  accurate 
compared  with  “objective  trust”  despite  the  presence 
of  misbehaving  nodes.  The  desirable  output  is  to 
achieve  high  accuracy  in  peer-to-peer  subjective  trust 
evaluation  with  high  resiliency  to  malicious  attacks. 

•  Discover  and  apply  the  best  trust  formation  to  maxi¬ 
mize  application  performance.  For  the  mission-oriented 
mobile  group  application,  the  desirable  output  is  to 
maximize  the  system  reliability  given  a  system  failure 
definition. 

2.3.  Node  behavior 

Node  behavior  is  part  of  the  operational  profile.  While 
our  model-based  analysis  technique  is  generally  applicable 
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to  any  node  behavior  specification,  for  illustration  we  con¬ 
sider  the  following  node  behavior  specification  in  this 
paper: 

•  Every  node  shall  conserve  its  resources  (e.g.,  energy)  as 
long  as  it  does  not  jeopardize  the  global  welfare  (i.e., 
successful  mission  execution).  Thus,  when  a  node 
senses  that  it  is  surrounded  by  many  uncooperative 
1-hop  neighbors,  it  will  tend  to  become  cooperative  to 
ensure  successful  mission  execution.  On  the  other  hand, 
a  node  with  many  cooperative  1-hop  neighbors  around 
will  tend  to  become  uncooperative  to  conserve  its 
resources,  knowing  that  this  will  not  jeopardize  the  glo¬ 
bal  welfare.  Also,  mission  successful  execution  is  the 
ultimate  goal  and  means  for  performance  evaluation, 
so  if  a  mission  has  a  high  degree  of  difficulty,  a  node 
tends  to  be  cooperative.  In  our  protocol  design,  each 
node  (node  i)  keeps  a  peer-to-peer  trust  value  in  coop¬ 
erativeness  n°operativeness  toward  another  node  (node  j)  in 
the  same  mobile  group.  With  trust  bias  minimization  in 
effect,  Tc°operati"er,ess  is  close  to  the  actual  status.  Thus,  a 
node  can  simply  use  its  pee-to-peer  subjective  cooper¬ 
ativeness  trust  toward  its  neighbors  to  determine  if  it 
can  conserve  energy  or  not.  If  a  node  sees  it  being  a 
bridge  node  connecting  other  nodes  in  the  same  mobile 
group,  then  it  satisfies  the  ‘global  welfare’  condition  for 
it  to  be  cooperative,  because  otherwise  the  mobile 
group  it  is  a  part  of  will  be  partitioned  into  2. 

•  A  node's  vulnerability  is  reflected  by  a  compromised 
rate,  e.g.,  a  capture  by  attackers  after  which  the  node 
is  compromised.  After  a  node  is  compromised,  we 
assume  it  attacks  persistently.  That  is,  it  attacks  when¬ 
ever  it  has  a  chance.  More  sophisticated  attacks  such  as 
random  and  opportunistic  attacks  [49,53-56]  are  not 
considered  in  this  work. 

•  Every  node  has  a  different  level  of  energy,  speed  and 
vulnerability  reflecting  node  heterogeneity.  The  energy 
consumption  rate  of  a  node  depends  on  its  status.  If  a 
node  is  uncooperative,  the  speed  of  energy  consump¬ 
tion  is  slowed  down  since  an  uncooperative  node  will 
not  follow  protocol  execution.  If  a  node  becomes  com¬ 
promised,  the  speed  of  energy  consumption  increases, 
as  it  persistently  performs  attacks  which  consume 
energy. 

•  A  compromised  node  may  perform  slandering  attacks, 
(e.g.,  good-mouthing  bad  nodes  and  bad-mouthing 
good  nodes),  identity  attacks  (e.g.,  Sybil)  or  Denial-of- 
Service  (DoS)  attacks  (e.g.,  consuming  resources  unnec¬ 
essarily  by  disseminating  bogus  packets).  We  assume 
that  a  compromised  node  will  always  perform  attacks 
on  good  nodes  and  does  not  discriminate  good  nodes 
when  performing  attacks. 

2.4.  Mission-oriented  mobile  groups 

As  an  application  of  SQTrust,  we  apply  it  to  mission-ori¬ 
ented  mobile  groups.  A  mission-oriented  mobile  group 
consists  of  a  number  of  mobile  nodes  cooperating  to  com¬ 
plete  a  mission,  with  one  node  being  the  lead  node  of  the 
group.  Upon  a  membership  change  due  to  join  or  leave, 
rekeying  can  be  performed  based  on  a  distributed  key 


agreement  protocol  such  as  the  Group  Diffie-Hellman 
(GDH)  protocol  33].  For  mission-critical  applications,  it  is 
frequently  required  that  nodes  on  a  mission  must  have  a 
minimum  degree  of  trust  for  the  mission  to  have  a  reason¬ 
able  chance  of  success.  On  one  hand,  a  mission  may  require 
a  sufficient  number  of  nodes  to  collaborate.  On  the  other 
hand,  the  trust  relationship  may  fade  away  between  nodes 
both  temporarily  and  spatially.  SQTrust  equips  each  node 
with  the  ability  to  subjectively  assess  the  trust  levels  of 
other  nodes  and  select  highly  trustworthy  nodes  for  collab¬ 
oration  to  maximize  the  probability  of  successful  mission 
execution. 

3.  SQTrust  -  A  multi-trust  protocol  for  MANETs 

In  this  section,  we  first  describe  our  SQTrust  protocol  to 
be  executed  by  every  node  at  runtime  as  a  concrete  trust 
protocol  for  trust  optimization.  Then  we  discuss  its  appli¬ 
cation  to  reliability  assessment  of  a  mission-oriented  mo¬ 
bile  group  in  MANET  environments. 

3.1.  Trust  composition 

Taking  into  consideration  of  the  proliferation  of  mobile 
devices  carried  by  humans  in  social  ad  hoc  networks,  our 
trust  metric  consists  of  two  trust  types:  social  trust  [42] 
and  QoS  trust  [10].  Social  trust  is  evaluated  through  inter¬ 
action  experiences  in  social  networks  to  account  for  social 
relationships.  Among  the  many  social  trust  metrics  such  as 
friendship,  honesty,  privacy,  similarity,  betweenness  cen¬ 
trality,  and  social  ties  [13  ,  we  select  social  ties  (measured 
by  intimacy )  and  honesty  (measured  by  healthiness)  to 
measure  the  social  trust  level  of  a  node  as  these  social 
properties  are  considered  critical  for  trustworthy  mission 
execution  in  group  settings.  QoS  trust  is  evaluated  through 
the  communication  and  information  networks  by  the  capa¬ 
bility  of  a  node  to  complete  a  mission  assigned.  Among  the 
many  QoS  metrics  such  as  competence,  cooperation,  reli¬ 
ability,  and  task  performance,  we  select  competence  (mea¬ 
sured  by  energy)  and  protocol  compliance  (measured  by 
cooperativeness  in  protocol  execution)  to  measure  the 
QoS  trust  level  of  a  node  since  competence  and  coopera¬ 
tion  are  considered  the  most  critical  QoS  trust  properties 
for  mission  execution  in  group  settings.  Quantitatively, 
let  a  node’s  trust  level  toward  another  node  be  a  real  num¬ 
ber  in  the  range  of  [0,1],  with  1  indicating  complete  trust, 
0.5  ignorance,  and  0  complete  distrust.  Let  a  node's  trust 
level  toward  another  node’s  particular  trust  component 
also  be  in  the  range  of  [0,1]  with  the  same  physical 
meaning. 

The  rationale  of  selecting  these  social  and  QoS  trust 
metrics  is  given  as  follows.  The  intimacy  component  (for 
measuring  social  ties)  has  a  lot  to  do  with  if  two  nodes 
have  a  lot  of  direct  or  indirect  interaction  experiences  with 
each  other,  for  example,  for  packet  routing  and  forwarding. 
The  healthiness  component  (for  measuring  honesty)  is 
essentially  a  belief  of  whether  a  node  is  malicious  or  not. 
We  relate  it  to  the  probability  that  a  node  is  not  compro¬ 
mised.  The  energy  component  refers  to  the  residual  energy 
of  a  node,  and  for  a  MANET  environment,  energy  is  directly 
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related  to  the  survivability  capability  of  a  node  to  be  able 
to  execute  a  task  completely,  particularly  when  the  current 
and  future  missions  may  require  a  long  mission  execution 
time.  Finally,  the  cooperativeness  component  of  a  node  is 
related  to  whether  the  node  is  cooperative  in  routing  and 
forwarding  packets.  For  mobile  groups,  we  relate  it  to  the 
trust  to  a  node  being  able  to  faithfully  follow  the  pre¬ 
scribed  protocol  such  as  relaying  and  responding  to  group 
communication  packets. 

Other  than  the  healthiness  trust  component,  we  assert 
that,  given  a  sufficient  contact  time,  a  node  can  have  fairly 
accurate  trust  assessments  toward  its  1-hop  neighbors  uti¬ 
lizing  monitoring,  overhearing  and  snooping  techniques. 
For  example,  a  node  can  monitor  interaction  experiences 
with  a  target  node  within  radio  range,  and  can  overhear 
the  transmission  power  and  packet  forwarding  activities 
performed  by  the  target  node  over  a  trust  evaluation  win¬ 
dow  At  to  assess  the  target  node’s  energy  and  cooperative¬ 
ness  status.  When  a  monitoring  node  (node  i )  cannot 
properly  monitor  a  trustee  node  (node  j)  because  of  a  short 
contact  time,  it  adapts  to  this  situation  by  discarding  the 
current  monitoring  result  and  instead  updating  direct  trust 
by  its  past  direct  trust  toward  node  j  decayed  over  the  time 
interval  At  to  model  trust  decay  over  time.  For  a  target 
node  more  than  1-hop  away,  a  node  will  refer  to  a  set  of 
recommenders  for  its  trust  toward  the  remote  target  node. 

3.2.  Trust  aggregation 

A  unique  feature  of  our  trust  aggregation  protocol  de¬ 
sign  is  that  we  discover  and  apply  the  optimal  trust  param¬ 
eter  settings  to  minimize  trust  bias,  i.e.,  minimizing  the 
difference  between  subjective  trust  and  objective  trust.  Here 
we  define  specific  trust  parameters  used  in  our  trust  aggre¬ 
gation  protocol  design.  Later  in  Section  5.2  we  leverage  a 
novel  model-based  approach  developed  in  this  paper  to 
discover  the  best  trust  aggregation  protocol  settings  to 
minimize  trust  bias. 

Like  most  trust  aggregation  protocols  for  MANETs 
[10],  we  consider  both  direct  trust  and  indirect  trust. 
That  is,  node  i  evaluates  node  j  at  time  t  by  direct  obser¬ 
vations  and  indirect  recommendations.  Direct  observa¬ 
tions  are  direct  evidences  collected  by  node  i  toward 
node  j  over  the  time  interval  [t  -  d  At,t]  when  node  i 
and  node  j  are  1-hop  neighbors  at  time  t.  Here  At  is 
the  trust  update  interval  and  d  is  a  design  parameter 
specifying  the  extent  to  which  recent  interaction  experi¬ 
ences  would  contribute  to  intimacy.  We  can  go  back  as 
far  as  t  =  0,  that  is,  d  =  t/At,  if  all  interaction  experiences 
are  considered  equally  important.  Indirect  recommenda¬ 
tions  are  indirect  evidences  given  to  node  i  by  a  subset 
of  1-hop  neighbors  selected  based  on  two  mechanisms 
against  slandering  attacks:  (a)  threshold-based  filtering 
by  which  only  trustworthy  recommenders  with  trust 
higher  than  a  minimum  trust  threshold  are  qualified  as 
recommenders,  and  (b)  relevance-based  trust  by  which 
only  recommenders  with  high  trust  in  trust  component 
X  are  qualified  as  recommenders  to  provide  recommen¬ 
dations  about  a  trustee’s  trust  component  X. 

Summarizing  above,  node  i  will  compute  its  trust  to¬ 
ward  node  j,  T*-(t),  where  X  is  a  trust  component  by: 


rfj(t)  =  pj?Ject*(t)  +  (i) 

In  Eq.  (1 ),  /3]  is  a  parameter  to  weigh  node  i's  own  infor¬ 
mation  toward  node  j  at  time  t,  i.e.,  “direct  observations”  or 
“self-information”  and  p2  is  a  parameter  to  weigh  indirect 
information  from  recommenders,  i.e.,  “information  from 
others,”  with  +  p2  -  1. 

The  direct  trust  part,  T*rect,x(t),  in  Eq.  (1)  is  evaluated  by 
node  i  at  time  t  depending  on  if  node  i  is  a  1-hop  neighbor 
of  node  j  at  time  t  and  if  the  data  needed  by  node  i  for 
assessing  X  of  node  j  is  obtainable  during  [t-  dAt,  t].  If 
yes,  then  node  i  uses  its  direct  observations  toward  node 
j  to  update  Tfjrect’x(t)  where  At  is  the  periodic  trust  evalua¬ 
tion  interval.  Otherwise,  node  i  uses  its  old  direct  trust 
assessment  at  time  t  -  At  multiplied  by  e~^At  (for  expo¬ 
nential  trust  decay  over  time)  to  update  Tfjrect’x(t)  Specifi¬ 
cally,  node  i  will  compute  Tfjrect’x(t)  by: 

r  Tj7h°P*(t)  if  i  is  a  neighbor  to  j  at  t 
jdirect,x ^  _  I  and  dat;a  needed  js  obtainable 

(  x  T-JecLX(t  -  At)  otherwise 

(2) 

Here  we  note  that  T*rect-X(t)  replaces  Tf™ct*(t  -  At)  after 
the  computation.  So  there  will  not  be  a  storage  overflow 
problem.  To  account  for  trust  decay  over  time,  we  adopt 
an  exponential  time  decay  factor,  e~*dM,  to  satisfy  the  desir¬ 
able  property  that  trust  decay  must  be  invariable  to  the 
trust  update  frequency  [21  ].  Depending  on  the  trust  evalu¬ 
ation  interval  At,  we  can  fine  tune  the  value  of  Ad  to  test  the 
effect  of  trust  decay  over  time.  The  notation  T]fihopJ<(t)  here 
refers  to  the  new  “direct”  trust  assessment  at  time  t.  We 
adopt  the  Bayesian  trust/reputation  model  [21,43]  with 
the  Beta  (A,  B )  distribution  such  that  A/(A  +  B )  is  the  esti¬ 
mated  direct  trust  toward  a  node  with  A  as  the  number 
of  positive  service  experiences  and  B  as  the  number  of  neg¬ 
ative  service  experiences.  Below  we  describe  specific 
detection  mechanisms  by  which  node  i  collects  direct 
observations  to  assess  Tjjhop,x(t)  for  the  case  in  which  i 
and  j  are  1-hop  neighbors  at  time  t. 

•  Tj -intimacy Intimacy  is  for  measuring  social  ties  and 
has  a  lot  to  do  with  if  two  nodes  have  a  lot  of  direct  or 
indirect  interaction  experiences  with  each  other.  Since 
friendship  and  social  circle  information  is  frequently 
not  available  in  MANET  environments,  T} -^'"^(t) 
can  be  computed  based  on  node  i’s  direct  interaction 
experience  toward  node  j.  Specifically,  it  is  computed 
by  node  i  by  the  proportion  of  time  nodes  i  and  j  are 
1-hop  neighbors  directly  interacting  with  each  other 
during  [t-  dAt,  t].  Note  that  intimacy  is  about  node  i’s 
interaction  experience  with  only  node  j.  It  is  orthogonal 
to  other  trust  properties  such  as  healthiness,  energy  or 
cooperativeness  introduced  below. 

•  T-j  ^healthiness^.  This  refers  tQ  ^  beHef  of  node  j  that 

node  j  is  honest  (or  not  malicious)  based  on  node  i's 
direct  observations  during  [t  -  dAt,  t[.  Node  i  estimates 
Tj-hop, healthiness^  by  the  ratio  Qf  the  number  of  SUSpiciOUS 

interaction  experiences  observed  during  [t  -  dAt,  t]  to  a 
system  “healthiness”  threshold  to  reduce  false  posi¬ 
tives.  Node  i  uses  a  set  of  anomaly  detection  rules 
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including  the  interval  rule  (for  detecting  node  j’s  send¬ 
ing  bogus  messages),  the  retransmission  rule  (for 
detecting  node  j’s  dropping  messages),  the  integrity  rule 
(for  detecting  node  j’s  modifying  messages),  the  repeti¬ 
tion/jamming  rule  (for  detecting  node  j’s  performing 
DOS  attacks),  and  the  delay  rule  (for  detecting  node  j’s 
delaying  message  transmission)  as  in  [32]  to  keep  a 
count  of  suspicious  experiences  of  node  j  during 
[t-dAt,  t].  If  the  count  exceeds  the  “healthiness” 
threshold,  node  i  considers  node  j  as  totally  unhealthy, 

i. e.,  ji-hop, healthiness^  =  q  otherwise  it  is  equal  to  1 

minus  the  ratio.  We  model  the  deficiencies  in  anomaly 
detection  (e.g.,  imperfection  of  rules)  by  a  false  negative 
probability  (P^)  of  misidentifying  an  unhealthy  node  as 
a  healthy  node,  and  a  false  positive  probability  (P"p)  of 
misidentifying  a  healthy  node  as  an  unhealthy  node. 

•  pJ-hopenergy(t):  This  is  the  belief  of  node  i  that  node  j  is 
competent  or  capable  (in  terms  of  energy  status)  of  per¬ 
forming  prescribed  protocol  functions.  Node  i  uses  the 
ratio  of  the  number  of  acknowledgement  packets 
received  from  node  j  (at  the  MAC  layer)  over  transmit¬ 
ted  packets  to  node  j  during  [t-dAt,  t]  to  estimate 
energy  capability  in  node  j.  Here  we  note  that  if  node 
j  acknowledges  every  packet  sent  from  node  i  to  node 

j,  T]jhop,energy (t)  =  1.  So  it  will  not  penalize  a  socially 
active  node. 

.  Tj-hop, cooperativeness {t).  Thjs  provides  the  belief  0f  node  1 

that  node  j  is  protocol  compliant  based  on  direct  obser¬ 
vations  during  [t-dAt,  t]  Node  i  estimates 
Ti -imp, cooperativeness ( ^  by  the  ratio  of  the  number  of  cooper¬ 
ative  interaction  experiences  to  the  total  number  of  pro¬ 
tocol  interaction  experiences.  Note  that  both  counts  are 
related  to  protocol  execution  except  that  the  former 
count  is  for  positive  experiences  when  node  j,  as 
observed  by  node  i,  cooperatively  follows  the  prescribed 
protocol  execution. 


Although  T'7h0penergy  (t)  and  Tj ^op, cooperativeness  ^  aboye 
are  measured  based  on  behavior  exhibited  during  protocol 
execution,  they  refer  to  very  distinct  trust  concepts.  The 
first,  energy  trust,  is  about  if  node  j  is  competent  in  execut¬ 
ing  protocol  functions,  measured  by  if  node  j  is  capable  of 
responding  to  node  i’s  requests,  while  the  second,  cooper¬ 
ativeness  trust,  is  about  if  node  j  is  protocol  compliant,  mea¬ 
sured  by  observing  if  node  j  follows  the  prescribed  protocol 
execution  sequence. 

The  indirect  trust  part,  T'"direct'x(t)  in  Eq.  (1)  is  evaluated 
by  node  i  at  time  t  by  taking  in  recommendations  from  a 
subset  of  1-hop  neighbors  selected  following  the  thresh¬ 
old-based  filtering  and  relevance-based  trust  selection  cri¬ 
teria.  Specifically,  node  i  will  compute  f"frect*(t)  by: 


j-indirect^X 

1  ij 


(t) 


e JTUp<rxu) 

-  „r - -  if  nr  >  0 

e-ldt  x  fndirect*^  _  Af)  jf  ^  =  Q 


(3) 


In  Eq.  (3),  the  trustor  node  (node  i)  first  selects  nr  rec- 
ommenders  (node  m’s)  with  which  it  trusts  the  most  in 
trust  component  X  among  its  one-hop  neighbors  and  then 
requests  these  recommenders  to  send  their  recommenda¬ 
tions.  A  recommender  (node  m)  provides  its  direct  trust 


in  X  toward  node  j  (the  trustee  node),  (t) ,  as  a  recom¬ 

mendation  to  node  i  through  one-hop  communication.  V  is  a 
set  of  nr  recommenders  chosen  by  node  i  from  its  1-hop 
neighbors  which  satisfy  the  threshold-based  filtering  and  rele¬ 
vance-based  trust  selection  criteria.  That  is,  these  are  the  rec¬ 
ommenders  for  which  node  i’s  Tfm(t)  in  trust  component  X  is 
higher  than  a  minimum  threshold  denoted  by  Tf.  Here  we 
note  that  when  a  recommender  node,  say,  node  m,  provides 
its  recommendation  to  node  i  for  evaluating  node  j  in  trust 
component  X,  node  i’s  trust  in  node  m  is  also  taken  into  con¬ 
sideration  in  the  calculation  as  reflected  in  the  product  term 
on  the  right  hand  side  of  Eq.  (3 ).  This  accounts  for  trust  decay 
over  space.  If  nr  =  0  then  T'Td,rect'x  (t)  =  e~A“At  x  T’"dlrect'x(t  -  At) 
to  account  for  trust  decay  over  time. 

3.3.  Trust  formation 

In  this  section  we  define  trust  parameters  used  for  our 
trust  formation  protocol  design.  Later  in  Section  5.3  we  dis¬ 
cuss  how  the  system  can  discover  and  apply  the  best  trust 
formation  parameters  to  maximize  application  perfor¬ 
mance,  given  the  operational  profile  as  input. 

While  many  trust  formation  models  exist  [10],  we 
adopt  the  importance-weighted-sum  model  with  which 
trust  is  an  importance-weighted  sum  of  social  trust  and 
QoS  trust.  It  encompasses  more-social-trust,  more-QoS- 
trust,  social-trust-only,  and  QoS-trust-only  in  trust  forma¬ 
tion.  It  is  particularly  applicable  to  missions  where  context 
information  is  available  about  the  importance  of  social  or 
QoS  trust  properties  for  successful  mission  execution.  For 
example,  for  a  mission  consisting  of  unmanned  mobile 
nodes,  the  more-QoS-trust  or  QoS-trust-only  trust  forma¬ 
tion  model  will  be  appropriate.  The  subjective  trust  value 
of  node  j  as  evaluated  by  node  i  at  time  t,  denoted  as  Tft), 
thus  is  computed  by  node  i  as  a  weighted  average  of  inti¬ 
macy,  healthiness,  energy,  and  cooperativeness  trust  com¬ 
ponents.  The  assessment  is  done  periodically  in  every  At 
interval.  Specifically  node  i  will  compute  Ty(t)  by: 

Tij(t)  =  x  Tf/t)  (4) 

X 

where  T*  (t)  is  the  trust  belief  of  node  i  toward  node  j  in 
trust  component  X  =  intimacy,  healthiness,  energy  or  coop¬ 
erativeness  and  w*  is  the  weight  associated  with  X.  Below 
we  use  the  notation  w1:w2:w3:w4  for  wmt"noq':whea,thiness: 
wenergy.wcooPerativeness  for  notational  convenience.  For  a 

trust-based  application,  the  best  setting  of  w1:w2:w3:w4 
exists  to  maximize  the  application  performance.  Our  mod¬ 
el-based  analysis  allows  the  best  weight  setting  to  be 
determined,  given  the  operational  profile  as  input.  In  this 
paper,  we  shall  demonstrate  this  with  a  MANET  mobile 
group  application. 

Lastly,  depending  on  the  mobile  application,  nodes  in  a 
mobile  group  may  join  or  leave  the  mobile  group.  For  a 
non-member,  say,  node  j,  the  trust  level  T,j(t)  is  the  same 
as  its  trust  level  at  the  last  trust  evaluation  instant  t  -  At 
discounted  by  time  decay,  that  is,  Tjj(t)  =  e~'dM  x  T^jt  -  t). 

An  interesting  metric  is  the  overall  average  “subjective” 
trust  level  of  node  j,  denoted  by  T-Ub(t),  as  evaluated  by  all 
active  nodes.  Once  we  obtain  T,j(t)  from  Eq.  (4),  Tj“b(t)  can 
be  computed  by: 
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TjUb(t)  =  (5) 

In  this  paper,  we  compare  Tfb(t)  with  the  “objective” 
trust  of  node  j,  denoted  by  T°bj(t),  calculated  based  on  ac¬ 
tual,  global  information  to  see  how  much  deviation  subjec¬ 
tive  trust  evaluation  is  from  objective  trust  evaluation. 
Specifically,  let  T°biX(t)  denote  the  “objective”  trust  of  node 
j  in  trust  component  X  at  time  t,  which  we  can  obtain  by  a 
mathematical  model  (see  Section  4).  Then,  following  Eq. 
(4),  T°bJ(t)  is  calculated  by: 

T°bj(t)  =  jyv*  X  T°bjJC(t)  (6) 

x 

By  means  of  a  novel  mathematical  model  describing 
node  behaviors  in  a  MANET,  we  can  calculate  the  objective 
trust  levels  of  all  nodes  in  the  system  based  on  actual  sta¬ 
tus  of  nodes.  This  serves  as  the  basis  for  identifying 
SQTrust  protocol  settings  for  minimizing  trust  bias  as  well 
as  for  validating  SQTrust  design. 


based  on  its  own  view  towards  node  j  as  an  indicator  to 
judge  if  node  j  satisfies  the  mission-specific  trust  require¬ 
ments  for  successful  mission  execution.  This  node  likes  to 
estimate  the  mission  success  probability  as  a  mission  reli¬ 
ability  metric  when  given  knowledge  regarding  the  mis¬ 
sion  failure  definition,  member  failure  definition  and 
mission  time.  Here  we  note  that  the  mission  reliability 
metric  is  measured  from  the  lead  node’s  perspective  and 
presumably  the  lead  node  is  not  a  malicious  node,  or  the 
mission  reliability  is  simply  zero. 

Let  R(t)  be  the  mission  reliability  given  that  the  mission 
time  is  t.  Then,  the  mission  success  probability,  denoted  by 
Pmission,  from  the  lead  node’s  perspective  is  simply  R(TR) 
when  the  lead  node  is  given  TR  as  the  mission  time,  i.e., 

P  mission  =  R(TR)  (7) 

The  mission  failure  definition  is  application  dependent. 
Assume  that  the  mission  fails  if  at  least  n  —  k  +  1  out  of  n 
members  (trustees)  fail.  Let  Rfit)  be  member  j’s  reliability 
at  time  t.  Let  J  be  a  set  of  members  with  range  [k,  n].  Then, 


3.4.  Trust  protocol  computational  and  communication 
overhead 


'I  >k\jej 


M 


(8) 


In  our  protocol  design,  a  trustor  node  (node  i)  performs 
direct  trust  update  periodically  in  every  At  interval  accord¬ 
ing  to  Eq.  (2).  Then  it  selects  nr  recommenders  among 
its  one-hop  neighbors  (if  any  exists)  and  requests  these 
recommenders  to  send  their  recommendations  through 
1-hop  communication  to  perform  indirect  trust  update 
according  to  Eq.  (3).  Lastly,  it  merges  direct  and  indirect 
trust  in  accordance  with  Eq.  (1)  to  update  its  trust  towards 
a  trustee  node  (node  j).  The  computational  and  communi¬ 
cation  complexity  of  SQTrust  is  therefore  0 (N  x  n,/At) 
where  N  is  the  number  of  nodes  in  the  MANET,  nr  is  the 
number  of  recommenders  for  indirect  trust  recommenda¬ 
tions  in  Eq.  (3),  and  At  is  the  trust  update  interval.  The 
communication  cost  is  normalized  with  respect  to  one- 
hop  communication  cost,  as  each  trustor  node  only  solicits 
1-hop  neighbors  to  provide  indirect  trust  recommenda¬ 
tions.  For  the  same  reason,  the  number  of  recommenders 
nr  also  is  substantially  smaller  than  N,  especially  the  rec¬ 
ommenders  must  satisfy  the  threshold-based  filtering  and 
relevance-based  trust  selection  criteria  proposed  in  our  pro¬ 
tocol  design.  The  computational  complexity  of  finding  the 
best  protocol  settings  in  response  to  dynamically  changing 
environments  is  0(1)  (see  Section  8  for  more  detail).  There¬ 
fore,  the  computational  and  communication  overhead  for 
executing  SQTrust  to  minimize  trust  bias  and  maximize 
application  performance  by  individual  nodes  is  at  most 
polynomial  in  N  and  very  manageable. 

3.5.  Mission-oriented  mobile  group  applications 

To  illustrate  our  application-level  trust  optimization  de¬ 
sign  concept,  we  consider  mission-oriented  mobile  groups 
as  an  application  of  SQTrust.  A  lead  node  (which  could  be 
any  behaving  node  in  the  system)  wants  to  assemble  and 
dynamically  manage  a  mobile  task  group  to  achieve  a  mis¬ 
sion  assigned  despite  failure,  disconnection  or  compromise 
of  member  nodes.  This  lead  node,  say  node  i,  can  use  Tifit) 


The  member  failure  definition,  on  the  other  hand,  hinges 
on  trustworthiness  of  each  individual  member.  Suppose 
there  are  two  trust  thresholds:  Mi  is  a  trust  threshold 
above  which  a  member  is  considered  completely  trustwor¬ 
thy  for  successful  mission  completion  and  M2  is  a  drop 
dead  trust  level  below  which  a  member  is  completely  not 
trustworthy.  Below  we  give  a  possible  definition  of  mem¬ 
ber  failure  based  on  dual  trust  thresholds,  Mj  and  M2,  de¬ 
fined  above. 

LetXj  (t)  be  the  instantaneous  trustworthiness  of  node  j  at 
time  t.  If  at  any  time  t,  node  j’s  trust  level  is  above  M i  then 
node  j  is  completely  trustworthy,  so  its  instantaneous  trust¬ 
worthiness  Xj(t)  is  1.  If  node  j’s  trust  level  is  below  M2  then 
node  j  is  completely  untrustworthy,  so  Xfit)  is  0.  If  node  j’s 
trust  level  is  in  between  M]  and  M2  then  node  j’s  instanta¬ 
neous  trustworthiness  is  calculated  as  the  ratio  of  its  trust 
level  to  Mi.  Specifically,  the  instantaneous  trustworthiness 
of  node  j  at  time  t  is  given  by: 


'  1,  if  Tifit)  >  Mi 

Xj(t )  =  <  0,  if  Tij(t)  <  M2 

Tij(t)/Mi ,  otherwise 


(9) 


The  lead  node,  node  i,  computes  member  j’s  reliability 
Rfit)  based  on  node  j’s  instantaneous  trustworthiness  over 
[0,  t].  If  at  any  time  t'  ^  t,Xj(t')  =  O.then  the  trust  level  of 
node  j  is  not  acceptable,  so  Rfit)  is  0;  otherwise,  Rfit)  is 
the  average  trust  value  of  node  j  over  [0,  t]  computed  by 
the  expected  value  ofXj(t'),  0  ^  t  <  t,  over  [0,  t].  Summariz¬ 
ing  above,  node  i  computes  member  j’s  reliability  Rfit)  by: 


J  0,  if  Xj(t')  =  0  for  any  t'  <  t 
\  E[Xj(t%  t  st  t,  otherwise 


(10) 


Here  Xfit)  is  the  instantaneous  trustworthiness  of  node 
j  at  time  t'  defined  by  Eq.  (9)  and  EIX/T)]  is  the  expected 
value  of  Xj(t'),0  ^  t'  ^  t,  over  [0,  t].  One  can  see  that  the 
knowledge  of  Tifit)  is  very  desirable  for  the  lead  node  to 
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compute  P mission  given  knowledge  regarding  the  mission 
execution  time,  member  failure  definition,  and  mission 
failure  definition. 


(  Location  ) 

T_LOCATION  T_JOIN  T_LEAVE 


4.  Analytical  model 

Our  analysis  methodology  is  model-based  and  hinges 
on  the  use  of  a  SPN  mathematical  model  to  probabilisti¬ 
cally  estimate  node  status  over  time,  given  an  anticipated 
operational  profile  as  input.  The  SPN  outputs  provide 
ground  truth  node  status  and  yield  “objective”  trust 
against  which  “subjective”  trust  obtained  through  protocol 
execution  can  be  compared  for  identifying  optimal  proto¬ 
col  settings  to  minimize  trust  bias  and  to  maximize  appli¬ 
cation  performance. 

4.1.  Node  SPN  for  modeling  node  behavior 

We  consider  a  square-shaped  operational  area  consist¬ 
ing  of  M  x  M  regions  each  with  the  width  and  height  equal 
to  radio  radius  R.  The  node  mobility  model  is  specified  as 
part  of  the  operational  profile.  Fig.  1  illustrates  3  nodes 
moving  in  a  6  x  6  regions.  The  regions  are  given  location 
identifiers  from  1  to  36  in  top-bottom  and  then  left-right 
order,  as  illustrated  in  Fig.  1.  To  avoid  end-effects,  move¬ 
ment  is  wrapped  around  (i.e.,  a  torus  is  assumed).  Two 
nodes  are  within  1-hop  if  there  are  in  the  same  region  or 
in  neighbor  regions. 

Fig.  2  shows  the  “node”  SPN  model  developed  for 
describing  the  lifetime  behavior  of  a  mobile  node  in  the 
presence  of  other  uncooperative  and  malicious  nodes  in  a 
mobile  group  following  the  input  operational  profile.  The 
system  SPN  model  consists  of  N  node  SPN  models  where 
1 V  is  the  number  of  nodes  in  the  system.  We  utilize  the 
node  SPN  model  to  obtain  a  single  node’s  information 
(e.g.,  intimacy,  healthiness,  energy,  and  cooperativeness) 
and  to  derive  its  trust  relationships  with  other  nodes  in 
the  system.  It  also  captures  location  information  of  a  node 
as  a  function  of  time. 

The  reason  of  using  node  SPN  models  is  to  yield  a  prob¬ 
ability  model  (a  semi-Markov  chain  [30,36])  to  model 
the  stochastic  behavior  of  nodes  in  the  system,  given  the 
system’s  anticipated  operational  profile  as  input.  The 


1 

7 

19 

25 

31 

2 

8 

20 

A 

3 

'C: 

tis£_ 

1 

CJ  / 

Cj»] 

4 

10 

j 

22 

28 

5 

a- 

23 

29 

6 

12 

18 

24 

30 

36 

Fig.  1.  Nodes  moving  in  a  6  x  6  grid  based  on  their  operational  profiles. 
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Fig.  2.  Node  SPN  model. 


theoretical  analysis  yields  objective  trust  based  on  ground 
truth  of  node  status,  against  which  subjective  trust  as  a  re¬ 
sult  of  executing  our  proposed  trust  protocol  is  compared. 
This  provides  the  theoretical  foundation  that  subjective 
trust  (from  protocol  execution)  is  accurate  compared  with 
ground  truth. 

The  underlying  semi-Markov  chain  [30,36]  has  a  state 
representation  comprising  “places”  in  the  SPN  model.  A 
node’s  status  is  indicated  by  a  5-component  state  repre¬ 
sentation  ( Location ,  Member,  Energy,  CN,  UNCOOP )  with 
“ Location ”  (an  integer)  indicating  the  current  region  the 
node  resides,  “Member"  (a  Boolean  variable)  indicating  if 
the  node  is  a  member,  “Energy"  (an  integer)  indicating 
the  current  energy  level,  “CN”  (a  boolean  variable)  indicat¬ 
ing  if  the  node  is  compromised,  and  “ UNCOOP ”  (a  boolean 
variable)  indicating  if  the  node  is  cooperative.  For  example, 
place  Location  is  a  state  component  whose  value  is  indi¬ 
cated  by  the  number  of  "tokens"  in  place  Location.  A  state 
transition  happens  in  the  semi-Markov  chain  when  a  move 
event  occurs  with  the  event  occurrence  time  interval  fol¬ 
lowing  a  probabilistic  time  distribution  such  as  exponen¬ 
tial,  Weibull,  Pareto,  and  hyper-exponential  distributions. 
This  is  modeled  by  a  “transition”  with  the  corresponding 
firing  time  in  the  SPN  model.  For  example,  when  the  node 
moves  across  a  regional  boundary  after  its  residence  time 
in  the  previous  region  elapses,  transition  T_L0CAT10N  will 
be  triggered,  thus  resulting  in  a  location  change.  This  is  re¬ 
flected  by  flushing  all  the  tokens  in  place  Location  and 
replacing  by  a  number  of  tokens  corresponding  to  the  id 
of  the  new  region  it  moves  into.  After  the  move,  the  value 
of  “Location"  will  be  the  id  of  the  new  region  it  moves  into. 
For  example  in  Fig.  1  after  user  1  (in  green  color)  moves 
from  region  17  to  region  11,  place  Location  will  flush  out 
17  tokens  originally  there  and  hold  11  tokens  afterward. 
Thus  the  three  primary  entities,  i.e.,  places,  tokens,  and 
transitions,  allow  the  node  SPN  model  to  be  constructed 
to  describe  a  node’s  lifetime  behavior  dynamically  as  time 
evolves.  Below  we  explain  how  we  construct  the  node  SPN 
model. 

4.2.  Location 

Transition  T_L0CAT10N  is  triggered  when  the  node 
moves  to  another  region  from  its  current  location  with 
the  rate  calculated  as  Smit/R  (i.e.,  the  node’s  mobility  rate) 
based  on  an  initial  speed  (Sinit)  and  wireless  radio  range 
( R ).  Depending  on  the  location  a  node  moves  into,  the 
number  of  tokens  in  place  Location  is  adjusted.  Initially 
nodes  are  randomly  distributed  over  the  operational  area 
based  on  uniform  distribution.  Suppose  that  nodes  move 
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randomly.  Then  a  node  randomly  moves  to  one  of  four 
locations  in  four  directions  (i.e.,  north,  west,  south,  and 
east)  in  accordance  with  its  mobility  rate.  The  underlying 
semi-Markov  model  of  the  node  SPN  model  when  solved 
utilizing  solution  techniques  such  as  SOR,  Gauss  Seidel, 
or  Uniformization  36]  gives  the  probability  that  a  node 
is  at  a  particular  location  at  time  t,  e.g.,  the  probability  that 
node  i  is  located  in  region  j  at  time  t.  This  information 
along  with  the  location  information  of  other  nodes  at  time 
t  provides  global  information  if  two  nodes  are  1-hop  neigh¬ 
bors  at  time  t. 

4.3.  Intimacy 

Intimacy  trust  is  an  aggregation  of  direct  interaction 
experience  (Tfjrect’int'macj'(t))  and  indirect  interaction  experi¬ 
ence  (7“' intimacy^  0ut  of  these  tw0>  on[y  new  djrect 

interaction  experience  (T*rert  inHm0CJ,(t)  via  Tj:hop'intimacy (t))  is 
calculated  based  on  if  two  nodes  are  1-hop  neighbors 
interacting  with  each  other  via  packet  forwarding  and 
routing.  Since  the  node  SPN  model  gives  us  the  probability 
that  a  node  is  in  a  particular  location  at  time  t,  we  can 
objectively  compute  direct  interaction  experience 
Ti-hoPr intimacy (see  Eq  (2)  based  on  the  probability  of  nodes 

i  and  j  are  in  the  same  location  at  time  t  from  the  output  of 
the  two  SPN  models  associated  with  nodes  i  and  j. 

4.4.  Energy 

Place  Energy  represents  the  current  energy  level  of  a 
node.  An  initial  energy  level  of  each  node  is  assigned  differ¬ 
ently  to  reflect  node  heterogeneity.  We  randomly  generate 
a  number  between  12  and  24  h  based  on  uniform  distribu¬ 
tion,  representing  a  node’s  initial  energy  level  Einit.  Then  we 
put  a  number  of  tokens  in  place  Energy  corresponding  to 
this  initial  energy  level.  A  token  is  taken  out  when  transi¬ 
tion  T_ENERGY  fires.  The  transition  rate  of  T_ENERGY  is  ad¬ 
justed  on  the  fly  based  on  a  node’s  state:  it  is  lower  when  a 
node  becomes  uncooperative  to  save  energy  and  is  higher 
when  the  node  becomes  compromised  so  that  it  performs 
attacks  more  (assuming  persistent  attack  behavior)  and 
consumes  energy  more.  Therefore,  depending  on  the  node’s 
status,  its  energy  consumption  is  dynamically  changed. 

4.5.  Healthiness 

A  node  is  compromised  when  transition  T_COMPRO 
fires.  The  rate  to  transition  T_COMPRO  is  Acom  as  the  node 
compromising  rate  (or  the  capture  rate)  reflecting  the  hos¬ 
tility  of  the  application.  If  the  node  is  compromised,  a  to¬ 
ken  goes  to  CN,  meaning  that  the  node  is  already 
compromised  and  may  perform  good-mouthing  and  bad- 
mouthing  attacks  as  a  recommender  by  good-mouthing  a 
bad  node  with  a  high  trust  recommendation  and  bad- 
mouthing  a  good  node  with  a  low  trust  recommendation. 

4.6.  Cooperativeness 

Place  UNCOOP  represents  whether  a  node  is  cooperative 
or  not.  If  a  node  becomes  uncooperative,  a  token  goes  to 


UNCOOP  by  triggering  TJJNCOOP.  We  model  a  node’s 
uncooperativeness  behavior  following  the  ‘node  behavior’ 
model  discussed  in  Section  3.  Specifically,  the  rate  to  tran¬ 
sition  TJJNCOOP  is  modeled  as  a  function  of  its  remaining 
energy,  the  mission  difficulty,  and  the  neighborhood  unco¬ 
operativeness  degree  as  follows: 

ratC(T  UNCOOP)  =  ^e^remain^m^diH‘cuIty)fs(^degree)  /|-JN 

Tgc 

where  Eremain  represents  the  node’s  current  energy  level  as 
given  in  mark{Energy),  MdiffiCuity  is  the  difficulty  level  of  the 
given  mission,  Sdegree  is  the  degree  of  uncooperativeness 
computed  based  on  the  ratio  of  uncooperative  nodes  to 
cooperative  nodes  among  1-hop  neighbors  and  Tgc  is  the 
group  communication  interval  over  which  a  node  may  de¬ 
cide  to  become  uncooperative  in  protocol  execution  and 
drop  packets.  We  adopt  the  demand-pricing  relationship 
in  Economics  theory  [4,51,52]  in  the  form  off[x)  =  rxx~e 
with/(x)  being  the  demand  and  x  being  the  pricing  to  mod¬ 
el  the  relationship  between  node  uncooperativeness  (J{x)) 
vs.  Eremain.  M difficulty  or  Sdegree  (*)•  In  Economics  theory  with 
f[x)  =  ax~£  and  e  >  1,  lower  pricing  would  stimulate  higher 
demand,  and  conversely  high  pricing  would  suppress  de¬ 
mand.  In  a  mission-oriented  mobile  group  in  which  suc¬ 
cessful  mission  execution  is  the  ultimate  goal  for 
performance  evaluation,  we  draw  the  following  analogues 
to  model  a  node’s  uncooperative  behavior: 

•  /e(Eremam):  Low  energy  would  stimulate  uncooperative¬ 
ness.  Every  node  conserves  its  energy  as  long  as  it  does 
not  jeopardize  the  global  welfare  (i.e.,  successful  mis¬ 
sion  execution).  That  is,  when  a  nod’s  energy  is  low  it 
tends  to  conserve  its  energy  so  as  to  best  serve  the  mis¬ 
sion,  so  it  tends  to  be  uncooperative.  This  is  to  consider 
a  node's  individual  utility  in  resource-constrained 
environments. 

•  /m(M difficulty)'  High  mission  difficulty  would  suppress 
uncooperativeness.  That  is,  if  a  node  is  assigned  to  a 
more  difficult  mission,  it  tends  to  be  less  uncooperative 
(or  more  cooperative)  to  ensure  successful  mission 
execution. 

•  /s(Sdegree):  High  Sdegree  would  suppress  uncooperative¬ 
ness.  That  is,  if  a  node’s  1-hop  neighbors  are  not  very 
cooperative,  the  node  tends  to  less  uncooperative  (or 
more  cooperative)  in  order  to  complete  a  given  mission 
successfully. 

A  compromised  node  is  necessarily  uncooperative  as  it 
will  not  follow  the  protocol  execution  rules.  So  if  place 
CN  contains  a  token,  place  UNCOOP  will  also  contain  a 
token. 

4.7.  Obtaining  objective  trust  for  validating  SQTrust  protocol 
design 

With  the  node  behaviors  modeled  by  a  probability 
model  (a  semi-Markov  chain)  described  above,  the  objec¬ 
tive  trust  evaluation  of  node  j  in  trust  component  X,  i.e., 
T°bi*{t),  can  be  obtained  based  on  exact  global  knowledge 
about  node  j  as  modeled  by  its  node  SPN  model  that 
has  met  the  convergence  condition  with  the  location 
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information  supplied.  To  calculate  each  of  these  objective 
trust  probabilities  of  node  j,  one  would  assign  a  reward 
of  rs  with  state  s  of  the  underlying  semi-Markov  chain  of 
the  SPN  model  to  obtain  the  probability  weighed  average 
reward  as: 

=  £(rs  *  Ps(t))  (12) 

seS 

for  X  =  healthiness,  energy  or  cooperativeness,  and  as: 

_  ft-dAt  X^sgstTs  *  Ps{t))dt  (13) 

forX  =  intimacy.  The  reason  we  use  a  different  equation  for 
X  =  intimacy  is  that  in  the  node  SPN  model,  there  is  no 
place  holder  modeling  intimacy  directly.  Here  S  indicates 
the  set  of  states  in  the  underlying  semi-Markov  chain  of 
our  SPN  model,  rs  is  the  reward  assigned  to  state  s,  and 
Ps(t)  is  the  probability  that  the  system  is  in  state  s  at  time 
t,  which  can  be  obtained  by  solving  the  underlying  semi- 
Markov  model  of  our  SPN  model  utilizing  solution  tech¬ 
niques  such  as  SOR,  Gauss  Seidel,  or  Uniformization  [36], 
Table  1  summarizes  specific  reward  assignments  used  to 
calculate  T°bj'x(t)  for  X  =  intimacy,  healthiness,  energy,  or 
cooperativeness.  In  Table  1,  Er  is  the  energy  threshold  be¬ 
low  which  the  energy  trust  toward  a  node  goes  to  0.  Once 
T°biX(t)  is  obtained,  we  compute  the  average  objective  trust 
value  of  node  j,  T°bi(t),  based  on  Eq.  (6).  It  is  compared  with 
average  subjective  trust  of  node  j,  T-Ub(t).  defined  in  Eq.  (5) 
to  compute  trust  bias  obtained  to  validate  our  trust  aggre¬ 
gation  protocol  design. 

Here  we  note  that  in  Table  1  we  assign  a  binary  trust  va¬ 
lue  of  0  or  1  to  a  state  in  which  it  is  clear  in  this  particular 
state  the  trust  value  is  either  0  or  1.  Since  the  system 
evolves  over  time  and  there  is  a  probability  that  it  may  stay 
at  any  state  at  time  t  with  all  state  probabilities  sum  to  1, 
the  expected  value  of  a  trust  property  (intimacy,  healthi¬ 
ness,  energy  or  cooperativeness)  at  time  t  based  on  a 
state-probability-weighted  trust  calculation  is  a  real  num¬ 
ber  between  0  and  1. 

5.  Analytical  results 

5.1.  Operational  profile  as  input 

Table  2  lists  the  parameter  set  and  their  default  values 
specifying  the  operational  profile  given  as  input  for  testing 
SQTrust  for  a  mobile  group  application  in  MANET  environ¬ 
ments.  We  populate  a  MANET  with  n  =  150  nodes  moving 
randomly  with  speed  Sinit  in  the  range  of  (0,2] m/s  in  a 
6x6  operational  region  in  a  1250  m  x  1250  m  area,  with 


each  region  covering  R  =  250  m  radio  radius.  The  environ¬ 
ment  being  considered  is  assumed  hostile  and  insecure 
with  the  average  compromising  rate  2com  set  to  once  per 
18  h.  Each  node’s  energy  is  in  the  range  of  [12,24]  h.  Fur¬ 
ther  each  node  observes  the  node  behavior  model  as  spec¬ 
ified  in  Sections  3.3  and  4.1  with  £  =  1.2,  a  =  0.8  and 
Tgc=  120  s.  Initially  all  nodes  are  not  compromised.  When 
a  node  turns  malicious,  it  performs  good-mouthing  and 
bad-mouthing  attacks,  i.e.,  it  will  provide  the  most  positive 
recommendation  (that  is,  1 )  toward  a  bad  node  to  facilitate 
collusion,  and  conversely  the  most  negative  recommenda¬ 
tion  (that  is,  0)  toward  a  good  node  to  ruin  the  reputation 
of  the  good  node.  The  initial  trust  level  is  set  to  1  for 
healthiness,  energy  and  cooperativeness  because  all  nodes 
are  considered  trustworthy  initially.  The  initial  trust  level 
of  intimacy  is  set  to  the  probability  that  a  node  is  found 
to  be  in  a  5-region  neighbor  area  relative  to  6  x  6  regions 
(as  illustrated  in  Fig.  1)  in  accordance  with  the  intimacy 
definition. 

Given  this  operational  profile  as  input  to  the  mobile 
group  application,  we  aim  to  identify  the  best  setting  of 
Pi'-fc  (with  higher  meaning  more  direct  observations 
or  self-information  being  used  for  subjective  trust  evalua¬ 
tion)  under  which  subjective  trust  is  closest  to  objective 
trust.  We  also  aim  to  identify  the  best  setting  of 
wi:w2:w3:w4  (the  weight  ratio  for  the  4  trust  components 
considered),  and  Mi  and  M2  (the  minimum  trust  level  and 
drop-dead  trust  level)  under  which  the  application  perfor¬ 
mance  is  maximized.  For  trust  protocol  execution,  we  set 
the  decay  coefficient  =  0.001,  and  the  trust  evaluation 
interval  At  =  20  min,  resulting  in  e~ldt  =  0.98  to  model 
small  trust  decay  over  time.  Also  the  minimum  recom- 
mender  threshold  Tx  is  set  to  0.6,  the  trust  evaluation  win¬ 
dow  size  d  is  set  to  2,  and  the  minimum  energy  trust 
threshold  ET  is  set  to  0. 

5.2.  Identifying  best  trust  aggregation  protocol  settings  to 
minimize  trust  bias 

Fig.  3  shows  the  node’s  overall  trust  values  obtained 
from  subjective  trust  evaluation  vs.  objective  trust  evalua¬ 
tion,  i.e.,  TjUb(t)  vs.  T°bi(t),  for  the  equal-weight  ratio  case 
as  a  function  of  time,  with  varying  from  0. 6:0.4 

(60%  direct  evaluation:40%  indirect  evaluation)  to  0. 9:0.1 
(90%  direct  evaluation:  10%  indirect  evaluation).  The  10% 
increment  in  /fi  allows  us  to  identify  the  best  ratio 
under  which  subjective  trust  is  closest  to  objective  trust. 
We  see  that  subjective  trust  evaluation  results  are  closer 
and  closer  to  objective  trust  evaluation  results  (and  thus 
smaller  trust  bias)  as  we  use  more  conservative  direct 


Table  1 

Reward  assignments  for  objective  trust  evaluation. 


Component  trust  probability  toward  node  j 


j-obj ,  intimacy  ^  ^ 
j-obj ,  healthiness  ^  ^ 

■j^obj  .energy 

•joty , cooperativeness  ^  ^ 


rs:  Reward  assignment  to  state  s 

1  if  markf  slocation)  is  within  a  5-region  neighbor  area  at  time  t;  0  otherwise 
1  if  ( markij'sCN )  =  0);  0  otherwise 
1  if  (marktf  sEnergy)  >  ET);  0  otherwise 
1  if  (markf's  UNCOOP)  =  0) ;  0  otherwise 
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Table  2 

Operational  profile  for  a  mobile  group  application. 


Parameter 

Value 

Parameter 

Value 

#  of  Regions 

6x6 

R 

250  m 

Area 

1250  m  x  1250  m 

Einit 

[12,  24]  h 

Sinit 

(0,  2]  m/s. 

E 

1.2 

1  /  h com 

18  h 

a 

0.8 

Tgc 

120  s 

pH  pH 

0.5% 

objective  trust 

subjective  trust  -  90%  direct  evaluation 
subjective  trust  -  80%  direct  evaluation 
subjective  trust  -  70%  direct  evaluation 
subjective  trust  -  60%  direct  evaluation 


time  (min.) 


Fig.  3.  Overall  trust  evaluation:  subjective  trust  is  most  accurate  when 
using  85%  direct  trust  evaluation  {/Sc-h  =  0.85:0.15). 


observations  or  self-information  for  subjective  trust  evalu¬ 
ation.  However,  there  is  a  cutoff  point  (at  about  85%)  after 
which  subjective  trust  evaluation  overshoots.  This  implies 
that  using  too  much  direct  observations  for  subjective  trust 
evaluation  could  overestimate  trust  because  there  is  little 
chance  for  a  node  to  use  indirect  observations  from  trust¬ 
worthy  recommenders.  Our  analysis  allows  such  a  cutoff 
point  to  be  determined  given  design  considerations 
regarding  trust  decay  over  time  (e~idt  =  0.98  for  direct 
trust  decay  in  our  case  study). 


5.3.  Identifying  best  trust  formation  setting  to  maximize 
application  performance 

We  consider  a  mission-oriented  mobile  group  applica¬ 
tion  scenario  in  which  a  lead  node,  say  node  i,  dynamically 
selects  n  nodes  (n  =  5  in  the  case  study)  which  it  trusts 
most  out  of  active  mobile  group  members  for  mission  exe¬ 
cution.  We  consider  dynamic  team  membership  such  that 
after  each  trust  evaluation  window  At  the  lead  will  rese¬ 
lect  its  most  trusted  nodes  composing  the  team  for  mission 
executions  based  on  its  peer-to-peer  subjective  evaluation 
values  fft)  toward  nodes  j's  as  calculated  from  Eq.  (4).  The 
rationale  behind  dynamic  membership  is  that  the  lead  may 
exercise  its  best  judgment  to  select  n  most  trusted  nodes  to 
increase  the  probability  of  successful  mission  execution. 
Assume  that  all  n  nodes  selected  at  time  t  are  critical  for 
mission  execution  during  [t,  t  +  At]  so  that  if  any  one  node 
selected  fails,  the  mission  fails.  We  can  then  apply  Eqs.  (7) 
and  (8)  to  compute  Pm!SSIon  over  an  interval  [t,  t  +  At].  Since 
all  time  intervals  are  connected  in  a  series  structure,  PmiSSion 
over  the  overall  mission  period  [0,Tk]  can  be  computed  by 


the  product  of  individual  Pm,SSjon’s  over  intervals  [0,  At], 
[At,2At] . [TP  —  At,  TR], 

Fig.  4  shows  the  mission  success  probability  PmiSSion  as  a 
function  of  mission  completion  deadline  TR.  To  examine 
the  effect  of  wi:w2:w3:w4  (the  weight  ratio  for  the  4  trust 
components  considered  in  this  paper),  we  consider  5  test 
cases:  (a)  equal-weight,  (b)  social  trust  only,  (c)  QoS  trust 
only,  (d)  more  social  trust,  and  (e)  more  QoS  trust  as  listed 
in  Table  3  with  (Mi,  M2)  set  to  (0.85,  0.55)  to  isolate  its 
effect. 

For  all  test  cases  we  see  that  as  TR  increases,  the  mission 
success  probability  decreases  because  a  longer  mission 
execution  time  increases  the  probability  of  low-trust  nodes 
(whose  population  increases  over  time  because  of  cooper¬ 
ativeness  or  healthiness  trust  decay)  becoming  members 
of  the  team  for  mission  execution.  For  comparison,  the 
mission  success  probability  Pmiss!on  based  on  objective  trust 
evaluation  results  is  also  shown,  representing  the  ideal 
case  in  which  node  i  has  global  knowledge  of  status  of  all 
other  nodes  in  the  system  and  therefore  it  always  picks  n 
truly  most  trustworthy  nodes  in  every  At  interval  for  mis¬ 
sion  execution.  For  each  case,  we  also  show  the  optimal 
/h:/S2  ratio  (with  higher  /h  meaning  more  direct  observa¬ 
tions  or  self-information  being  used  for  subjective  trust 
evaluation)  at  which  PmiSSwn  obtained  based  on  subjective 
trust  evaluation  results  is  virtually  identical  to  PmiSSion  ob¬ 
tained  based  on  objective  trust  evaluations. 

We  observe  that  as  more  social  trust  is  being  used  for 
subjective  trust  evaluation,  the  optimal  /h : [l2  ratio  in¬ 
creases,  suggesting  that  social  trust  evaluation  is  very  sub¬ 
jective  in  nature  and  a  node  would  rather  trust  its  own 
interaction  experiences  more  than  recommendations 
provided  from  other  peers,  especially  in  the  presence  of 
malicious  nodes  that  can  perform  good-mouthing  and 
bad-mouthing  attacks.  Also  again  we  observe  that 
while  using  more  conservative  direct  observations  or 
self-information  for  subjective  trust  evaluation  in  general 
helps  in  bringing  subjective  Pmission  closer  to  objective 
Pmission,  there  is  a  cutoff  point  after  which  subjective  trust 
evaluation  overshoots. 

In  summary  Fig.  4  demonstrates  the  effectiveness  of 
SQTrust.  When  given  an  operational  profile  characterized 
by  a  set  of  model  parameter  values  defined  in  Table  2, 
the  analysis  methodology  developed  in  this  paper  helps 
identify  the  best  weight  of  direct  observations  vs.  indirect 
recommendations  (i.e.,  /h:/J2)  to  be  used  for  subjective 
trust  evaluation,  so  that  SQTrust  can  be  fine-tuned  to  yield 
results  virtually  identical  to  those  by  objective  trust  evalu¬ 
ation  based  on  actual  knowledge  of  node  status. 

In  Fig.  5  we  compare  Pmission  vs.  TR  for  the  mission  group 
under  various  wi:w2:w3:w4  ratios,  with  each  operating  at 
its  best  [f :  fi2  ratio  identified  so  that  in  each  test  case  sub¬ 
jective  Pmission  is  virtually  the  same  as  objective  PmiSSion ■  We 
see  that  “social  trust  only”  produces  the  highest  system 
reliability,  while  “QoS  trust  only”  has  the  lowest  system 
reliability  among  all,  suggesting  that  in  this  case  study  so¬ 
cial  trust  metrics  used  (intimacy  and  healthiness)  are  able 
to  yield  higher  trust  values  than  those  of  QoS  trust  metrics 
used  (energy  and  cooperativeness).  Certainly,  this  result 
should  not  be  construed  as  universal.  When  given  an 
operational  profiles  input,  the  model-based  analysis 
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Legend: 

♦  objective  Pmission 

- subjective  Pmission  -  optimal  %  direct  evaluation 

— • — subjective  Pmission  -  90%  direct  evaluation 
— * — subjective  Pmission  -  80%  direct  evaluation 
— * — subjective  Pmission  -  70%  direct  evaluation 
— * — subjective  Pmission  -  60%  direct  evaluation 


0.1  T - 1 - 1 - 1 - 1 - 1 - 1 - 1 - 1 - 1 - 1 - 1 - 1 - 1 - 1 - 1 - 1 

0  60  120  180  240  300 

TR  -  mission  completion  deadline  (min.) 

(b)  Social  Trust  Only. 


TR  -  mission  completion  deadline  (min.) 

(d)  More  Social  Trust. 


TR  -  mission  completion  deadline  (min.) 

(a)  Equal- Weight. 


(c)  QoS  Trust  Only. 


(e)  More  QoS  Trust. 


Fig.  4.  Mission  success  probability:  subjective  vs.  objective  evaluation. 


Table  3 

Weight  ratio  for  trust  components. 


Test  case 

Weight  ratio 

Equal-weight 

W!:w2:w3:w4  =  0.25:0.25:0.25:0.25 

Social  trust  only 

W!:w2:w3:w4  =  0.5:0.5:0:0 

QoS  trust  only 

w!:w2:w3:w4  =  0:0:0.5:0.5 

More  social  trust 

w!:w2:w3:w4  =  0.35:0.35:0.15:0.15 

More  QoS  trust 

w!:w2:w3:w4  =  0.15:0.15:0.35:0.35 

methodology  developed  in  this  paper  helps  identify  the 
best  w1:w2:w3:w4  weight  ratio  to  maximize  the  system 
reliability. 

We  analyze  the  effect  of  mission  trust  thresholds  Mi 
(the  minimum  trust  level  required  for  successful  mission 
completion)  and  M2  (the  drop  dead  trust  level).  Figs.  5 
and  6  show  Pmission  vs.  TR  for  the  system  operating  under 
best  /fi:/?2  settings  in  the  equal-weight  case  for  each  (Mi, 
M2)  combination.  Recall  that  Mt  and  M2  are  the  high  and 
low  trust  thresholds  to  determine  if  a  node  is  trustworthy 
for  mission  execution.  From  Fig.  6,  we  see  that  as  M]  in¬ 
creases,  the  system  reliability  decreases  because  there  is 
a  smaller  chance  for  a  node  to  satisfy  the  high  threshold 
for  it  to  be  completely  trustworthy  for  mission  execution. 
Similarly  from  Fig.  7,  we  see  that  as  M2  increases,  the 


(wl:w2:w3:w4=0.5:0.5:0:0)  -  social  trust  only 

(wl:w2:w3:w4=0. 35:0.35:0.15:0. 15)  -  more  social  trust 
(wl:w2:w3:w4=0. 25:0.25:0.25:0. 25)  -  equal  weight  trust 
(wl:w2:w3:w4=0. 15:0.15:0.35:0. 35)  -  more  QoS  trust 
(wl:w2:w3:w4=0:0:0.5:0.5)  -  QoS  trust  only 


Fig.  5.  Effect  of  w1:w2:w3:w4  on  mission  success  probability:  using  more 
social  trust  increases  mission  success  probability. 


system  reliability  decreases  because  there  is  a  higher 
chance  for  a  node  to  be  completely  untrustworthy  for  mis¬ 
sion  execution.  We  also  observe  that  the  reliability  is  more 
sensitive  to  Mi  than  M2.  A  system  designer  can  set  proper 
M]  and  M2  values  based  on  the  mission  context  such  as 
the  degree  of  difficulty  and  mission  completion  deadline, 
utilizing  the  model-based  methodology  developed  in  the 
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♦  Ml  =  0.60,  M2  =  0.55  (88%  direct  evaluation) 

— * —  Ml  =  0.70,  M2  =  0.55  (86%  direct  evaluation) 

)K  Ml  =  0.80,  M2  =  0.55  (84%  direct  evaluation) 

Ml  =  0.90,  M2  =  0.55  (83%  direct  evaluation) 

Ml  =  1.00,  M2  =  0.55  (82%  direct  evaluation) 


Fig.  6.  Effect  of  Mi  on  mission  success  probability:  using  higher  Mi 
(minimum  trust  level)  decreases  mission  success  probability. 

paper  to  analyze  the  effect  of  M]  and  M2  so  as  to  improve 
the  system  reliability. 

6.  Simulation  validation 

We  validate  SQJrust  and  its  application  to  mobile  group 
reliability  assessment  through  extensive  simulation  using 
ns-3  [22].  The  simulated  MANET  environment  is  setup  as 
described  in  Table  2.  The  network  consists  of  150  nodes 
following  the  random  waypoint  mobility  model  in  a 
1500  m  x  1500  m  operational  area,  with  the  speed  in  the 
range  of  (0,  2]  m/s  and  pause  time  of  zero.  The  initial  node 
energy  is  in  the  range  of  [40,  80]  joules,  corresponding  to 
[12,24]  h  of  operational  time  in  normal  status.  A  node 
may  be  compromised  with  a  per-node  capture  rate  of  Acom. 
As  time  progresses,  a  node  may  become  uncooperative,  the 
rate  of  which  is  implemented  according  to  Eq.  (10).  When  a 
node  becomes  uncooperative,  it  would  not  follow  protocol 
execution  and  will  drop  packets  to  save  energy.  A  compro¬ 
mised  node  will  also  drop  packets.  In  addition,  it  will  per¬ 
form  bogus  message  attacks,  as  well  as  good-mouthing  and 
bad-mouthing  attacks.  All  nodes  execute  SQJrust  as  de¬ 
scribed  in  Section  3  to  perform  subjective  trust  evaluation. 

We  collect  simulation  data  to  validate  analytical  results 
reported  earlier.  Due  to  space  limitation,  we  only  report 
two  figures.  Fig.  8  shows  the  simulation  results  for  the 
overall  subjective  trust  obtained  under  the  equal-weight 

♦  Ml  =  0.95,  M2  =  0.50  (83%  direct  evaluation) 

A  Ml  =  0.95,  M2  =  0.60  (82%  direct  evaluation) 

X  Ml  =  0.95,  M2  =  0.70  (82%  direct  evaluation) 


Fig.  7.  Effect  of  M2  on  mission  success  probability:  using  higher  M2  (drop 
dead  trust  level)  decreases  mission  success  probability. 


case,  corresponding  to  Fig.  3  obtained  earlier  from  theoret¬ 
ical  analysis.  As  in  Fig.  3,  we  simulate  7  cases  with  Pi'.fc 
varying  from  0. 6:0.4  to  0. 9:0.1.  For  each  case,  we  collect 
observations  from  sufficient  simulation  runs  with  disjoint 
random  number  streams  to  achieve  ±  5%  accuracy  level 
with  95%  confidence.  The  simulation  results  in  Fig.  8  are 
remarkably  similar  to  the  analytical  results  shown  in 
Fig.  3,  with  the  average  mean  square  error  (MSE)  between 
the  simulation  results  vs.  the  analytical  results  less  than 
5%. 

Fig.  9  shows  the  simulation  results  for  the  effect  of 
wi:w2:w3:w4  on  mission  success  probability  Pm/ssion.  corre¬ 
sponding  to  Fig.  5  obtained  earlier  from  analytical  calcula¬ 
tions.  As  in  Fig.  5,  we  simulate  5  cases  for  the  wi:w2:w3:w4 
weight  ratio  (see  Table  3).  We  observe  that  Fig.  9  is  virtu¬ 
ally  identical  to  Fig.  5  in  shape  exhibiting  the  same  trend 
that  using  more  social  trust  would  yield  higher  system  reli¬ 
ability.  The  MSE  is  remarkably  small  (less  than  0.03%)  for 
all  cases.  We  conclude  that  our  analytical  results  reported 
in  Figs.  3-7  are  accurate  and  valid. 

7.  Related  work 

In  this  section,  we  survey  recently  proposed  trust  man¬ 
agement  protocols  for  MANETs.  We  contrast  and  compare 
our  work  with  existing  work  so  as  to  differentiate  our  work 
from  existing  work  and  identity  unique  features  and  con¬ 
tributions  of  our  trust  protocol  design  for  MANETs.  We  dis¬ 
cuss  related  work  in  three  areas:  trust  management 
framework,  trust  metrics,  and  trust  resiliency  and  accuracy. 

7.1.  Trust  management  framework 

Michiardi  and  Molva  [60]  proposed  a  collaborative  rep¬ 
utation  mechanism  to  enforce  node  cooperation  (CORE)  in 
MANETs.  The  CORE  scheme  relies  on  two  key  designs:  a 
reputation  table  stored  by  each  node  to  maintain  the  rep¬ 
utation  toward  others  and  a  watchdog  mechanism  for 
detecting  cooperative  behavior.  The  reputation  table  com¬ 
bines  the  reputation  from  both  direct  observations  ob¬ 
tained  from  the  watchdog  and  indirect  recommendations 
from  other  nodes.  Buchegger  and  Boudec  [57  proposed 
CONFIDANT  and  applied  it  to  dynamic  source  routing  in 
MANETs.  They  used  a  neighborhood  watch  (similar  to  the 
watchdog  mechanism  in  CORE)  to  detect  non-compliant 

—  — ♦  —  -  objective  trust  -  ±0.0412,  MSE=0.05% 

—  —  »  —  -  subjective  trust  (90%  direct  evaluation)  -  ±0.0399,  MSE=0.04% 

—  —  A“-  subjective  trust  (80%  direct  evaluation)  -  ±0.0429,  MSE=0.02% 

— — H  —  -  subjective  trust  (70%  direct  evaluation)  -  ±0.0450,  MSE=0.11% 

— — -  subjective  trust  (60%  direct  evaluation)  -  ±0.0463,  MSE=0.66% 


0  H - 1 - 1 - 1 - 1 - 1 - 1 - 1 - 1 - 1 - 1 - 1 - 1 - 1 - 1 - 1 - 1 

0  20  40  60  80  100  120  140  160  180  200  220  240  260  280  300 

time  (min.) 


Fig.  8.  Simulation  results  of  overall  trust  corresponding  to  Fig.  3. 
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—  —  *  —  -  social  trust  only  -  ±0.0004,  MSE=0.03% 
— — H  —  -  more  social  trust  -  ±0.0004,  MSE=0.01% 

—  — ♦  —  -  equal  weight  trust  -  ±0.0004,  MSE=0.02% 

more  QoS  trust  -±0.0005,  MSE=0.01% 

—  —  *  —  -  QoS  trust  only  -  ±0.0006,  MSE=0.01% 


Fig.  9.  Simulation  results  of  reliability  assessment  corresponding  to 

Fig.  5. 

behaviors  of  neighboring  nodes.  Once  a  node  detects  mali¬ 
cious  evidence,  it  sends  an  alarm  message  to  others  to 
propagate  the  evidence.  Theodorakopoulos  and  Baras  [35] 
modeled  the  trust  evaluation  process  in  MANETs  as  a  path 
finding  problem  on  a  directed  graph,  where  nodes  repre¬ 
sent  entities  and  edges  represent  trust  relations.  Using 
the  theory  of  semirings  on  an  established  direct  graph, 
two  nodes  without  previous  direct  interaction  can  estab¬ 
lish  indirect  trust  relation.  Sun  et  al.  [34]  presented  an 
information  theoretic  framework  for  modeling  trust  prop¬ 
agation  and  aggregation  in  ad  hoc  networks.  The  frame¬ 
work  comprises  four  axioms  as  the  basis  for  trust 
propagation  and  aggregation.  Under  this  framework,  entro¬ 
py-based  and  probability-based  trust  models  are  proposed. 

Compared  to  the  works  cited  above,  we  also  consider 
both  direct  observations  and  indirect  recommendations 
for  trust  management.  However,  we  develop  new  mecha¬ 
nisms  based  on  threshold-based  filtering  and  relevance- 
based  trust  selection  to  select  trustworthy  recommenders 
to  mitigate  slandering  attacks,  and  consider  trust  decay 
over  space  and  time  during  trust  merging.  More  impor¬ 
tantly,  SQJrust  adjusts  the  weights  associated  with  direct 
trust  and  indirect  trust  to  minimize  trust  bias  in  response 
to  changing  environments. 

The  above  trust  management  protocols  assume  a  flat 
structure  in  MANETs  and  have  scalability  issues  when 
the  network  size  increases.  Verma  et  al.  [61]  and  Davis 
[62]  considered  hierarchical  trust  management  for  MAN¬ 
ETs.  In  their  hierarchical  trust  management  schemes,  each 
node  performs  trust  evaluation  locally.  However,  their 
schemes  heavily  rely  on  the  certificates  issued  off-line  or 
by  trusted  third  parties  which  typically  are  not  available 
in  MANET  environments. 

Our  trust  management  protocol  design  when  applying 
to  MANETs  can  handle  small,  flat  MANETs  as  well  as  large, 
hierarchically-structured  MANETs.  A  major  distinction  of 
our  work  from  the  above  cited  works  is  that  our  trust 
framework  covers  all  aspects  of  trust  management, 
namely,  trust  composition,  trust  aggregation,  trust  propa¬ 
gation,  and  trust  formation.  In  trust  composition,  we  ex¬ 
plore  novel  QoS  and  social  trust  metrics  pertinent  for 
modeling  node  behaviors  in  MANET  environments.  In  trust 
propagation  and  aggregation,  we  investigate  the  best  way 
to  combine  direct  trust  with  indirect  trust  for  individual 
trust  metrics  to  minimize  trust  bias.  In  trust  formation, 


we  investigate  the  best  way  to  combine  multidimensional 
trust  properties  for  application-level  performance  optimi¬ 
zation  illustrated  with  reliability  assessment  of  a  mis¬ 
sion-oriented  mobile  group. 

7.2.  Trust  metrics 

Many  QoS  performance  metrics  have  been  used  for 
trust  evaluation  in  MANETs,  such  as  control  packet  over¬ 
head,  throughput,  goodput,  packet  dropping  rate  and  de¬ 
lay.  Dependability  metrics  such  as  availability, 
convergence  time  to  reach  a  steady  state  in  trustworthi¬ 
ness  for  all  participating  nodes,  percentage  of  malicious 
nodes,  result  of  intrusion  detection  and  fault  tolerance 
based  on  reputation  thresholds  also  have  been  employed. 
Social  trust  metrics  have  also  been  employed  to  deal  with 
malicious  and  uncooperative  behaviors  in  MANETs.  Gol- 
beck  [17]  introduced  the  concept  of  social  trust  by  suggest¬ 
ing  the  use  of  social  networks  as  a  bridge  to  build  trust 
relationships  among  entities.  Yu  et  al.  [39]  used  social  net¬ 
works  to  evaluate  trust  values  in  the  presence  of  Sybil  at¬ 
tacks.  Very  recently,  Cho  et  al.  [10,63]  surveyed  trust 
management  schemes  for  MANETs  and  suggested  both 
QoS  trust  and  social  trust  be  considered  for  trust 
composition. 

Contrast  to  the  works  cited  above,  we  propose  combin¬ 
ing  social  trust  derived  from  social  networks  with  QoS 
trust  derived  from  communication  networks  to  obtain  a 
composite  trust  metric  as  a  basis  for  evaluating  trust  of 
mobile  nodes  in  MANET  environments,  recognizing  that  a 
mission-oriented  mobile  group  often  comprises  both  hu¬ 
man  and  non-human  operators  so  that  both  social  and 
QoS  trust  metrics  must  be  considered  for  mission-oriented 
mobile. 

7.3.  Trust  resiliency  and  accuracy 

Trust  management  aims  to  provide  a  secure  mechanism 
for  MANETs.  However,  trust  management  itself  faces 
attacks  from  malicious  nodes,  including  good-mouthing 
attacks  (recommending  a  bad  node  as  a  good  node), 
bad-mouthing  attacks  (recommending  a  good  node  as  a 
bad  node),  and  white-washing  attacks  (recommending 
itself  as  a  good  node).  Mundinger  and  Boudec  [27] 
performed  a  theoretical  analysis  on  the  robustness  of  a 
reputation  system  in  the  presence  of  liars  (providing  false 
recommendations).  They  claimed  that  there  is  a  liar  per¬ 
centage  threshold  above  which  lying  has  an  impact  and 
can  finally  corrupt  the  reputation  system.  The  reputation 
system  needs  to  compromise  between  fast-convergence 
and  accurate  trust  evaluation.  These  attacks  can  be  allevi¬ 
ated  by  taking  trust  recommendation  only  from  trusted 
recommenders  or  performing  statistical  analysis  on  the 
recommendation  values  to  remove  bias.  Zouridaki  et  al. 
[40  proposed  a  robust  cooperative  trust  scheme  for  secure 
routing  in  MANETs.  In  their  scheme,  recommenders  are 
chosen  in  the  order  of:  (1)  good  recommenders,  (2)  nodes 
with  recommender  trustworthiness  higher  than  a  thresh¬ 
old,  and  (3)  all  other  recommenders.  Balakrishnan  et  al. 
[59]  proposed  a  trust  protocol  for  MANETs  to  address 
similar  issues  (i.e.,  recommender’s  bias,  honest  elicitation, 
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and  free  riding )  in  trust  recommendations.  Buchegger  and 
Boudec  [58]  analyzed  the  effect  of  combining  rumors  (sec¬ 
ond-hand  information)  with  direct  observations  (first¬ 
hand  information)  during  trust  merging  and  concluded 
that  using  second-hand  information  not  deviating  too 
much  from  the  first-hand  information  can  significantly 
accelerate  the  detection  and  subsequent  isolation  of  mali¬ 
cious  nodes. 

Contrast  to  the  works  cited  above  which  used  simula¬ 
tion  to  test  trust  resiliency  and  accuracy,  we  address  the  is¬ 
sue  of  trust  protocol  resiliency  and  accuracy  by  design  and 
validation.  For  design,  we  develop  new  mechanisms  based 
on  threshold-based  filtering  and  relevance-based  trust  selec¬ 
tion  against  good-mouthing  or  bad-mouthing  attacks,  and 
dynamic  weight  adjustment  of  the  direct  and  indirect  trust 
components  to  minimize  trust  bias.  For  validation,  we 
demonstrate  our  protocol’s  resiliency  and  accuracy  by 
developing  a  novel  model-based  analysis  methodology 
with  simulation  validation. 

8.  Applicability 

The  identification  of  optimal  protocol  settings  in  terms 
of  to  minimize  trust  bias,  and  the  best  application- 
level  trust  optimization  setting  in  terms  of  W]:w2:w3:w4 
to  maximize  application  performance  is  performed  at  sta¬ 
tic  time.  One  way  to  apply  the  results  for  dynamic  trust 
management  is  to  build  a  lookup  table  at  static  time  listing 
the  optimal  protocol  settings  discovered  over  a  perceivable 
range  of  parameter  values.  Then,  at  runtime,  upon  sensing 
the  environment  conditions  matching  with  a  set  of  param¬ 
eter  values,  a  node  can  perform  a  simple  table  lookup 
operation  augmented  with  extrapolation/interpolation 
techniques  [69]  to  determine  and  apply  the  optimal  proto¬ 
col  setting  to  minimize  trust  bias  and/or  to  maximize 
application  performance  dynamically  in  response  to  envi¬ 
ronment  changes.  The  complexity  is  0(1)  because  of  the 
table  lookup  technique  employed. 

9.  Conclusion 

In  this  paper  we  addressed  the  performance  issue  of 
trust  management  protocol  design  for  MANETs  in  two 
important  areas:  trust  bias  minimization  and  application 
performance  maximization.  We  developed  a  novel  mod¬ 
el-based  methodology  based  on  SPN  techniques  for 
describing  the  behavior  of  a  mobile  group  consisting  of 
well-behaved,  malicious  and  uncooperative  nodes  given 
the  anticipated  system  operational  profile  as  input.  By 
using  a  probability  model  describing  node  behavior  in  a 
MANET  based  on  an  anticipated  operational  profile  given 
as  input,  we  derive  the  objective  trust  based  on  ground 
truth  status  of  nodes  as  time  progresses,  which  serves  as 
the  basis  for  identify  the  best  aggregation  protocol  setting 
in  terms  of  /fi : [S2  to  minimize  trust  bias,  and  the  best  appli¬ 
cation-level  trust  optimization  setting  in  terms  of 
w!:w2:w3:w4  to  maximize  application  performance. 

The  analytical  results  validated  by  extensive  simulation 
demonstrate  that  our  integrated  social  and  QoS  trust  pro¬ 
tocol  (SQTrust)  operating  at  its  optimizing  settings  is  able 


to  minimize  trust  bias,  thus  supporting  its  resiliency  prop¬ 
erty  to  bad-mouthing  and  good-mouthing  attacks  by  mali¬ 
cious  nodes.  Using  mission-oriented  mobile  groups  as  an 
application,  we  demonstrated  that  one  can  identify  and  ap¬ 
ply  the  best  trust  formation  to  maximize  the  application 
performance  in  terms  of  the  system  reliability. 

In  the  future  we  plan  to  explore  other  trust-based  MAN¬ 
ET  applications  such  as  trust-based  intrusion  detection 
[2,11,20,23,38]  and  service  composition  [70,71]  with 
which  we  could  further  demonstrate  the  design  notion  of 
application-level  trust  optimization  proposed  in  this  paper. 
We  also  plan  to  investigate  if  other  trust  formation  meth¬ 
ods  (other  than  the  linear  function  considered  in  this  pa¬ 
per)  would  be  more  effective  for  such  MANET 
applications,  and  perform  a  comparative  performance 
analysis  with  existing  methods  (e.g.,  Bayesian  [21  ]  or  fuzzy 
logic  [14]).  Lastly,  the  node  behavior  model  is  based  on 
persistent  attacks.  We  plan  to  consider  more  sophisticated 
attacker  models  such  as  random,  opportunistic,  and  insid¬ 
ious  attacks  [49,53-56]  with  fuzzy  failure  criteria  [45-47] 
applied  to  further  test  the  resiliency  of  our  trust  protocol 
design. 
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